A word of caution to any Android users who downloaded an app over the past weekend promising pictures of the next Twilight film: Next time, your obsession with vampires might just turn your phone into a zombie.
In a talk at the hacker conference SummerCon last Friday, researcher Jon Oberheide gave a demonstration of just how easy it may be to infect large numbers of phones running Google’s Android OS with hidden software that turns the devices into a zombie-like “botnet” under the control of a cybercriminal, particularly if that software associates itself with a phenomenon as popular and tween-entrancing as the upcoming Twilight Eclipse film.
Oberheide focused on what may be a serious security weakness in Android’s App Market: that apps don’t have to ask permission from a user to fetch new executable code. Even after an app has been approved for downloads in Google’s market, Oberheide says, it can still metamorphose at will into a much less friendly program.
Oberheide, who works for security startup Scio Security, developed an application called “RootStrap” to demonstrate that trust problem for Android apps. After it’s installed, RootStrap periodically “phones home” to check for any new code that Oberheide wants to add to the program, including any hidden control program or “rootkit” that he wished to install, hence the program’s name. “This is probably the most effective way to build a mobile botnet,” Oberheide told SummerCon’s audience of hackers and security researchers.
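The pattern described above (an app that looks harmless, has network access, and can pull in new executable code after it is installed) leaves static traces a reviewer can look for before an app is approved. The following triage heuristic is an added example written for this article; it is not RootStrap and not a Google tool. It assumes the caller has already extracted two things with any APK/dex tool of their choice: the manifest’s permission list and the string table of the app’s `classes.dex`. The Android class names it matches (`dalvik.system.DexClassLoader`, `PathClassLoader`, `DexFile`) are real platform APIs; the sample app inputs at the bottom are constructed for the demonstration.

```python
"""Static triage for the 'fetch code later' pattern: flag apps that combine
network access with run-time class loading.  Example code added for this
article, not Oberheide's RootStrap and not Google's market review logic.
Assumes permissions and dex string-table entries are supplied as plain lists.
"""
from dataclasses import dataclass, field

# Real dalvik.system APIs that load executable code at run time
# (written as they appear in a dex string table).
DYNAMIC_LOADERS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/DexFile;",
)
# The permission an app needs to reach a remote server for new code.
NETWORK_PERMISSION = "android.permission.INTERNET"
# Path prefixes an app can write to; a fetched dex has to land somewhere.
WRITABLE_PREFIXES = ("/data/data/", "/sdcard/")


@dataclass
class Finding:
    risk: str                               # "low" | "medium" | "high"
    reasons: list[str] = field(default_factory=list)


def triage(permissions: list[str], dex_strings: list[str]) -> Finding:
    """Combine manifest permissions with dex string references into a risk level.

    high   = dynamic loader referenced AND network permission requested
    medium = dynamic loader referenced, no network permission
    low    = no dynamic loader referenced
    """
    reasons: list[str] = []
    loaders = sorted({s for s in dex_strings if s in DYNAMIC_LOADERS})
    if loaders:
        reasons.append("references run-time class loader: " + ", ".join(loaders))
    has_net = NETWORK_PERMISSION in permissions
    if has_net:
        reasons.append("requests " + NETWORK_PERMISSION)
    drop_paths = sorted({s for s in dex_strings
                         if s.startswith(WRITABLE_PREFIXES)})
    if loaders and drop_paths:
        # Only meaningful together with a loader: a writable path the
        # fetched code could be saved to before being loaded.
        reasons.append("writable path strings present: " + ", ".join(drop_paths))
    if loaders and has_net:
        risk = "high"
    elif loaders:
        risk = "medium"
    else:
        risk = "low"
    return Finding(risk, reasons)


# --- constructed sample inputs (not real apps) ---------------------------
SAMPLE_WALLPAPER_APP = {
    "permissions": ["android.permission.INTERNET"],
    "dex_strings": [
        "Ljava/lang/String;",
        "Ljava/net/HttpURLConnection;",
        "Ldalvik/system/DexClassLoader;",
        "/data/data/com.example.wallpaper/files/update.jar",
    ],
}
SAMPLE_CALCULATOR_APP = {
    "permissions": [],
    "dex_strings": ["Ljava/lang/String;", "Ljava/lang/Math;"],
}


def triage_samples() -> dict[str, Finding]:
    """Run the heuristic over the constructed samples (used by the demo below)."""
    return {
        "wallpaper": triage(**SAMPLE_WALLPAPER_APP),
        "calculator": triage(**SAMPLE_CALCULATOR_APP),
    }


if __name__ == "__main__":
    for name, finding in triage_samples().items():
        print(f"{name}: {finding.risk}")
        for reason in finding.reasons:
            print("  -", reason)
```

The heuristic is deliberately coarse: plenty of legitimate apps load code at run time, which is exactly Cannings’ point later in the article, so a “high” result is a prompt for manual review rather than a verdict.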
But how to convince legions of Android users to download this potentially malicious software? Hide it in a convincingly harmless-looking app. Or, better yet, tap into the hysteria around the Twilight film series and cloak it as a collection of the upcoming film’s preview pics, as Oberheide did. Within just 24 hours of uploading the app to Google’s platform last Thursday, 200 users had downloaded it without realizing they were potentially offering up their phones for Oberheide to hijack. “If the app were a little more fun I could have gotten a much bigger install base,” he says.
To take over those users’ phones, Oberheide would have also needed to exploit a vulnerability in Android’s Linux-based operating system. But he says that would have been fairly easy to pull off. According to research by the non-profit MITRE Corporation, there were 47 critical vulnerabilities in Linux found last year, up from just 27 in 2008. And Google has been slow to patch those vulnerabilities in Android, Oberheide says, often pushing out fixes to just a segment of users as a test before fully patching phones weeks later. “It’s absolutely trivial to win this race,” he says.
In an interview, Google’s Android security lead Rich Cannings responded to Oberheide’s hack, pointing out that without exploiting a bug in Linux, Android apps are limited to the permissions that users initially set for them. The ability to “fetch” new executable code, he argues, is a common trait across many mobile and desktop platforms.
As for Linux’s security, Cannings says the operating system is no less secure than any other platform, though “every system is too complex to be absolutely secure,” he admits. “There are going to be security issues in Android and every other platform out there. The key thing is minimize the damage across our userbase,” with tools like patch updates and Google’s “kill switch” for apps, which can shut down applications remotely on all Android phones if necessary. (It’s never yet been used.)
Like most researchers who publicly reveal their hacks, Oberheide isn’t aiming to hijack users’ phones, only to demonstrate the vulnerability of Google’s system in the hope that the company will fix the problem. If it doesn’t, it may be only a matter of time until a hacker with fewer scruples and less regard for Robert Pattinson fans discovers the same trick.